Hong Kong Broadband Hack: Implications for Retention of Customer Data by Insurers
By Adelina Wong, Consultant, Insurance, Oldham, Li & Nie
Recent hacks into the customer databases of a telecommunications company and travel agencies have put the spotlight on how companies retain customer data and may lead to a revamp of data protection law in Hong Kong. These developments have far-reaching implications for insurers, who in the course of providing insurance services to the public, collect and process large amounts of personal data relating to existing, prospective and former customers.
HK Broadband Data Breach
Hong Kong Broadband Network, the second largest fixed-line residential broadband provider in Hong Kong, revealed a few weeks ago that an inactive customer database on an active server had been accessed without its authorization. Private information of some 380,000 former and existing customers was potentially compromised in the hack, including their names, ID card numbers, home addresses, telephone numbers and credit card details. The personal information dated back to 2012 and included information of customers who had not been active since 2012. It later came to light that the compromised inactive database was not encrypted, unlike other active databases maintained by the company.
With the fallout from the hack, including extensive media reports and initiation of a compliance review by Hong Kong’s Privacy Commissioner for Personal Data, the company announced that it would purge the data of 900,000 former customers and reduce its information retention period on past customers from seven years to six months. In this regard, Hong Kong Broadband admitted that it had mistakenly applied its 7-year rule for retention of business records to customer information as well. Going forward, the company indicated that it will not only shorten its data retention period for past customers but also change the way existing customer information is stored. In particular, Hong Kong ID card numbers and credit card numbers held in customer databases would have some digits deleted to make the information less attractive to hackers.
Implications for Insurers
Currently, Hong Kong’s Personal Data (Privacy) Ordinance, which has been in force since 1996, does not definitively state how long data users should keep personal data. Data Protection Principle 2(2) merely provides that personal data should not be kept “longer than is necessary for the fulfillment of the purpose (for which the data was to be used)”. However, Privacy Commissioner Stephen Wong has indicated that he is satisfied with the remedial actions to be taken by Hong Kong Broadband. A 2004 case arising from a complaint to the Privacy Commissioner by an unsuccessful insurance applicant regarding retention of his application data by the insurer is also instructive.
In that case, an investigation by the Office of the Privacy Commissioner for Personal Data (“PCPD”) found that the insurer’s practice was to retain personal data of unsuccessful insurance applicants for an indefinite period of time. In support of this practice, the insurer cited legal requirements for keeping books of accounts and the need to maintain a record in case of future applications, inquiries, potential litigation and complaints. The Commissioner at the time found however that those reasons did not justify the indefinite retention of personal data where money transactions (e.g. involving the payment of premiums) were not involved. In such cases, the Commissioner determined that a retention period of 2 years would suffice for the purposes stated. Even where money transactions were involved, the retention period should be limited to 7 years (the period prescribed in applicable ordinances for keeping books of account). The PCPD served an enforcement notice on the insurer requiring it to erase any data which had been kept for longer than the periods prescribed, pursuant to which the insurer erased more than 7000 records.
Of course, each case has to be considered on its own facts. However, indiscriminate retention of personal data, or blanket retention of personal data for 7 years (or other arbitrary period), will be hard to justify if a complaint is made to the PCPD. Insurers would be well advised to establish a considered policy in relation to their and their agents’ retention and use of data which takes into account the nature of the customer (e.g. existing or former policyholder or unsuccessful applicant) and factors which may justify a longer or shorter retention period.
This is all the more important given that the Privacy Commissioner has indicated that he will review the Personal Data (Privacy) Ordinance to see if it affords enough protection in light of recent data leaks and global trends, including the adoption of a new data protection framework under the General Data Protection Regulation (GDPR) in the EU from May 25, 2018. GDPR significantly enhances the data privacy rights of individuals in the EU, including the “right to be forgotten”, i.e. the right to demand erasure of personal data which is “no longer necessary in relation to the purposes for which they were collected”, subject to limited exceptions where retention of the data is required by law or justified in the public interest, etc. With the global trend to enhance the data privacy rights of individuals, it will be incumbent on insurers to achieve a deeper understanding of the various purposes for which personal data are kept or processed, since different retention periods may apply according to such purposes. For example, personal data which may not justifiably be retained or used for marketing purposes may nevertheless be retained or used to comply with legal or accounting requirements. Thus, insurers will have to be able to classify data appropriately and have the systems capability to remove data from certain applications while keeping it for others.
Hong Kong law firm, Oldham, Li & Nie (OLN) is pleased to have agreed a new collaboration with international law firm, DAC Beachcroft LLP as it continues to expand and develop new business groups.
The firms will draw on each other’s respective insurance and reinsurance practices and cooperate in additional areas of the law to provide a full range of services to clients in Hong Kong, based on DAC Beachcroft’s extensive insurance practice and OLN’s local Hong Kong expertise and relationships.
Greg Crichton and Adelina Wong will jointly lead the collaboration on behalf of OLN. Prior to joining OLN, Greg Crichton worked for many years in the insurance and reinsurance industry in Asia and was a Director, EVP and General Counsel at American International Assurance (AIA). Adelina Wong was a Senior Legal Counsel of AIA based in Hong Kong, and has significant expertise in Hong Kong’s insurance regulatory environment.
Steven Dewhurst, insurance and reinsurance partner in DAC Beachcroft's Singapore office, who leads the firm’s Asian practice, is driving this collaboration for the firm. Steven is admitted to practice in Hong Kong as well as England and Wales, and has decades of experience in insurance and reinsurance matters. As part of the move, Steven will also become a consultant with OLN.
"Closely collaborating with DAC Beachcroft, and its market leading insurance practice, is a tremendous development for OLN. It brings together a heavyweight team led jointly by Steven, Greg and Adelina, who share a profound knowledge of the global insurance sector and close client relationships in Hong Kong and throughout the Asia Pacific region," said Gordon Oldham, Senior Partner of OLN.
DAC Beachcroft Managing Partner, David Pollitt, said: "We are pleased to have formalised this new collaboration with OLN, a firm with deep local and sector knowledge and with which we share a commitment to our clients. Driven by client demand, this goes beyond simply cross-referrals; the new arrangement will enable us to provide comprehensive legal solutions for our multi-national clients in this important region for our business. We look forward to working with them."
For more information, please contact Liz Kenyon on 2868 0696 / email@example.com.
By Adelina Wong, Consultant, Insurance, Oldham, Li & Nie
Vicarious liability is the legal doctrine that holds one party liable for wrongdoing committed by another, typically where the party held liable is superior to or has some right to control the other’s actions. This most commonly arises in the employment context, where an employer is generally held liable for any tort committed by an employee in the course of his/her duties. However, vicarious liability is not limited to the employment relationship and can extend to the relationship between insurer and insurance agent.
Recent cases affirm that the relationship between insurer and agent can give rise to vicarious liability, even though the agent is not the insurer’s employee and the agent’s contract with the insurer explicitly denies any employment relationship. In deciding whether to impose vicarious liability, courts will consider if this is fair, just and reasonable taking into account the overall relationship (including the insurer’s control over the agent) and enterprise risk considerations, including the insurer’s business model, the regulatory framework governing the insurance industry and deterrence of future harm. In Hong Kong, many agents are tied exclusively to one insurer and even non-exclusive agents are bound under the HKFI Code of Practice to represent no more than four insurers, including no more than 2 long-term insurers. These ties between insurer and agent, and the functions performed by the agent on the insurer’s behalf, tend to create circumstances where a court may find vicarious liability.
- Case Analysis
A recent Singapore case, in which a major life insurer was held vicariously liable for an agent’s fraud, is instructive. In that case, the agent had sold the plaintiffs (an elderly Indonesian couple) a fictitious 5-year life insurance policy. Funds remitted by the plaintiffs for the fake policy were used by the agent to buy unauthorized policies in the plaintiffs’ names, which the agent later deceived the plaintiffs into surrendering. The funds were then misappropriated by the agent. Throughout this process, the insurer relied on the agent to liaise with the plaintiffs regarding the policies they held and to transmit instructions as to how to handle their money, refund cheques and surrender proceeds.
In finding the insurer vicariously liable for the agent’s fraud, the Singapore High Court applied a 2-stage test, under which vicarious liability will be imposed where:
- There is a “special relationship” between the tortfeasor (fraud perpetrator) and the defendant making it “fair, just and reasonable” for liability to be imposed; and
- The conduct of the tortfeasor is closely connected to his/her relationship with the defendant, particularly where that relationship materially increases the risk of the fraud being committed.
In applying this test for vicarious liability, the Singapore Court followed an established line of UK and Canadian case law which identified two policy considerations for imposing liability: 1) effective compensation for the victim; and 2) enterprise risk theory, which holds that an enterprise which engages agents to advance its business interests and creates the risk of those agents committing wrongs against third parties should bear responsibility for the consequences, since it is best placed (and should be incentivized) to manage the risks and prevent wrongdoing.
Under the first stage of the test (requiring a special relationship between tortfeasor and defendant), vicarious liability is no longer restricted to employment relationships and the court will examine the facts to see if the relationship has some of the same fundamental qualities inherent in employer-employee relationships, including control over the tortfeasor (agent) and integration of his/her activities in the defendant’s (insurer’s) enterprise. On the facts of the Singapore case, the court found that these elements were present, noting that even though the agent’s contract with the insurer specifically stated that the agent was not an employee, she represented the insurer exclusively and performed a wide range of functions on the insurer’s behalf. Further, the insurer’s control over her was very similar to that of an employer training, managing, supervising and disciplining its employees.
Turning to the second stage of the test (requiring a sufficient connection between the tortfeasor’s conduct and his/her relationship with the defendant), the court noted that the fraud had been perpetrated in the context of a business model in which insurers relied on agents to promote and market their policies by developing close relationships with high net-worth policy holders. On the facts, the insurer further enhanced the risk of the agent’s fraud by allowing her to perform tasks on both sides without verification, including accepting her word as instructions and authorization from the customer. Given this business framework and the policy justifications of victim compensation and deterrence, the court found that there was a sufficient connection between the agent’s fraud and her relationship with the insurer so as to justify imposing vicarious liability.
- OLN Insights
1. Recent case law confirms that vicarious liability is not confined to employment relationships and can render an insurer liable for its agent’s fraud. Courts will look beyond the agent’s contract with the insurer in assessing if the agent is truly acting as an independent contractor or is effectively controlled by the insurer and integrated within the insurer’s enterprise.
2. Policy considerations, and particularly enterprise risk considerations, may lead a court to hold an insurer vicariously liable for an agent’s fraud in the current regulatory context, which (in Hong Kong as in Singapore) expects insurance companies to take responsibility for the management of their agents, particularly where agents represent no more than a few insurers and are seen by the public as representatives of their appointing insurer and an extension of its enterprise.
3. To mitigate exposure, insurers would be well advised to institute more robust controls to verify policyholder instructions rather than relying exclusively on agents to communicate with customers. Verification should be undertaken of significant policy-related requests from policyholders, including instructions on how to apply remitted and/or excess funds and policy surrender requests. For example, policy approval confirmation letters, premium payment letters, policy surrender letters and refund cheques could be mailed directly to the policyholder (with proof of delivery) rather than passed on through the agent.
About OLN's Insurance Practice Group
OLN’s Insurance Practice Group has direct experience of the legal, regulatory and practical challenges facing insurers and reinsurers throughout the Asia region. Members of our Group have worked in the insurance industry and have extensive experience working in and advising insurers and reinsurers on contractual and regulatory matters and risk management issues relevant to their businesses. We have particular expertise in the review and drafting of contractual documentation relating to insurance and reinsurance activities, including the development of policy wording for life, accident, medical and health insurance products, and the review and vetting of related proposals, product brochures and training materials. We also have experience advising on disputes over coverage for claims under both life and general insurance policies, and, with support from OLN’s Dispute Resolution Group, are well placed to represent clients in all aspects of insurance litigation.
For more information about any other insurance related matters, please contact:
Greg Crichton, Consultant
(852) 2868 0696
Adelina Wong, Consultant
(852) 2868 0696
Making an Apology
Parties in conflict and disputes rarely apologize to one another. No one wants to admit liability, and saying sorry is often seen as an admission of liability.
On 13 July 2017, the Legislative Council of Hong Kong passed the Apology Bill (soon to be the Apology Ordinance) to enable parties to apologize without fear of legal implications.
Historically, an apology has been seen as an implied admission of fault and/or liability. Such an apology, whether written or oral, may constitute evidence of liability in civil proceedings.
Parties in dispute are therefore constantly advised by lawyers not to apologize for their actions, even if the party is in the wrong. The fear of legal implications has overridden morality and common decency.
The Apology Ordinance
Under the Apology Ordinance, an apology is defined as an expression of regret, sympathy or benevolence. The apology need not be in writing. It can be oral or by conduct.
If a party has apologized, the Apology Ordinance provides that the fact of that apology will not constitute an express or implied admission of the person’s fault or liability and must not be taken into account in determining fault, liability or any other issue in connection with the matter to the prejudice of the person.
While evidence of an apology made by a person is not normally admissible as evidence for determining fault, the Apology Ordinance makes an exception. The exception is this:
If there is no other evidence available for determining an issue, it is possible for statements of fact contained in an apology to be admitted as evidence in the proceedings, provided that it is just and equitable to do so.
The following example may trigger the exception. One party may say to another:
“I am sorry about what has happened”
The above would not normally be admissible as evidence on liability. However, the situation may be different if the party apologizing goes on to say the following:
“The goods were not delivered to you because we had inadequate staff on that day.”
The above might be admissible as evidence even if the apology itself is not, particularly if the fact of adequate or inadequate staff became a relevant issue in civil proceedings and this was the only piece of evidence available in the proceedings. Clearly, this exception means that parties should take great care in how they apologize and what they should include in their apology.
The Apology Ordinance also has potential impact upon insurance coverage.
Section 10 of the Apology Ordinance provides that an apology does not render void or affect any insurance cover, compensation or other form of benefit for any person in connection with the matter. There is also an express prohibition against attempting to “contract out” of this section by, for example, a disclaimer or waiver of rights. This section also takes effect whether or not the contract of insurance was entered into before or after the commencement date of the Apology Ordinance.
Liability insurance policies typically contain conditions that an insured party shall not make any admissions of liability or prejudice the claim without the insurer’s prior consent. While Section 10 may avoid an admission of liability, potential problems may arise if the insured prejudices the claim by making an apology which contains facts that are later ruled as admissible by the Court for the reasons set out above. In such circumstances, there may be argument as to whether the additional facts appended to the apology can properly be regarded as being part and parcel of the apology itself.
When Will It Take Effect?
It is currently unclear as to the commencement date of the Apology Ordinance although it is expected to come into effect later this year (2017) or early next year (2018).
With the implementation of the Apology Ordinance, Hong Kong becomes the first jurisdiction in Asia to enact such legislation, leading and consolidating its position as one of the foremost centers in the Asia region for mediation and dispute resolution.
Although similar legislation has been passed in the United States, Canada, Australia and the United Kingdom, only time will tell whether the Apology Ordinance will influence parties in Hong Kong to more readily apologise to each other for wrongful conduct.
What should be quite clear, however, is that making an apology is not without its risks, and parties should continue to take proper legal advice before doing so.
The Provisional Insurance Authority (the ‘PIA’) is already in action and has just written to the Chief Executives of all authorized insurers (‘Insurers’). The communication covers two Guidance Notes (previously ‘GN’ and now ‘GL’). Here we will focus on only one of them in summarizing what the PIA had to say in its letter.
GL4: Guideline on 'Fit and Proper' Criteria
New section 14A of the Insurance Ordinance will be effective on 26 June 2017. Section 14A sets out a list of matters that the Insurance Authority (the "IA") must have regard to when determining whether a person is 'fit and proper'. This is a new section which is applicable to controllers, directors, key persons in control functions and appointed actuaries of all Insurers. GL4 sets out the minimum standard of suitability requirements for these persons.
Transitional Arrangements for Key Persons in Control Functions:
Some Insurers may currently maintain one or more control functions and certain individuals may have been responsible for one or more of these control functions prior to 26 June 2017.
The IA shall introduce the following transitional arrangements effective 26 June 2017:
- For individuals who are responsible for any of the control functions of an Insurer before 26 June 2017 and within the definition of 'key persons in control functions' (the "Appointed Individuals"), relevant Insurers are required to submit applications for the IA's approval of their proposed appointments on 26 June 2017. Such applications must be submitted to the IA during the period from 26 June 2017 to 30 September 2017.
- Applications should be provided in the prescribed Form A1.
- Application fees: the HK$18,000 fee will be waived in respect of applications for the Appointed Individuals.
- The IA will consider the applications and notify the Insurers of the results as soon as practicable.
Transitional arrangements apply to the Appointed Individuals only. If an Insurer wishes to appoint an individual as a key person in any control function(s) on or after 26 June 2017, it must obtain the IA's prior approval.
Controllers, directors and appointed actuaries of Insurers who have already been duly appointed prior to 26 June 2017 in accordance with the relevant requirements are not required to seek the IA's re-approval. However, if an Appointed Individual assumes a dual role of both an appointed actuary and a key person in the actuarial function, approval will still be required.